From ad611d2696701b611d2ef9dfe93567ecf6cb338d Mon Sep 17 00:00:00 2001
From: Theron Luhn <theron@luhn.com>
Date: Sat, 27 Apr 2019 14:51:57 -0700
Subject: Add simple integration tests for security.

---
 tests/pkgs/legacysecurityapp/__init__.py | 37 ++++++++++++++++++++++++++++
 tests/pkgs/securityapp/__init__.py       | 41 +++++++++++++++++++++++++++++++
 tests/test_integration.py                | 42 ++++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+)
 create mode 100644 tests/pkgs/legacysecurityapp/__init__.py
 create mode 100644 tests/pkgs/securityapp/__init__.py

diff --git a/tests/pkgs/legacysecurityapp/__init__.py b/tests/pkgs/legacysecurityapp/__init__.py
new file mode 100644
index 000000000..12fb6104e
--- /dev/null
+++ b/tests/pkgs/legacysecurityapp/__init__.py
@@ -0,0 +1,37 @@
+from pyramid.response import Response
+from pyramid.authentication import RemoteUserAuthenticationPolicy
+from pyramid.security import Allowed, Denied
+
+
+class AuthorizationPolicy:
+    def permits(self, context, principals, permission):
+        if 'bob' in principals and permission == 'foo':
+            return Allowed('')
+        else:
+            return Denied('')
+
+    def principals_allowed_by_permission(self, context, permission):
+        raise NotImplementedError()  # pragma: no cover
+
+
+def public(context, request):
+    return Response('Hello')
+
+
+def private(context, request):
+    return Response('Secret')
+
+
+def inaccessible(context, request):
+    raise AssertionError()  # pragma: no cover
+
+
+def includeme(config):
+    config.set_authentication_policy(RemoteUserAuthenticationPolicy())
+    config.set_authorization_policy(AuthorizationPolicy())
+    config.add_route('public', '/public')
+    config.add_view(public, route_name='public')
+    config.add_route('private', '/private')
+    config.add_view(private, route_name='private', permission='foo')
+    config.add_route('inaccessible', '/inaccessible')
+    config.add_view(inaccessible, route_name='inaccessible', permission='bar')
diff --git a/tests/pkgs/securityapp/__init__.py b/tests/pkgs/securityapp/__init__.py
new file mode 100644
index 000000000..6ddba585b
--- /dev/null
+++ b/tests/pkgs/securityapp/__init__.py
@@ -0,0 +1,41 @@
+from pyramid.response import Response
+from pyramid.security import Allowed, Denied
+
+
+class SecurityPolicy:
+    def identify(self, request):
+        return request.environ.get('REMOTE_USER')
+
+    def permits(self, request, context, identity, permission):
+        if identity and permission == 'foo':
+            return Allowed('')
+        else:
+            return Denied('')
+
+    def remember(self, request, userid, **kw):
+        raise NotImplementedError()  # pragma: no cover
+
+    def forget(self, request):
+        raise NotImplementedError()  # pragma: no cover
+
+
+def public(context, request):
+    return Response('Hello')
+
+
+def private(context, request):
+    return Response('Secret')
+
+
+def inaccessible(context, request):
+    raise AssertionError()  # pragma: no cover
+
+
+def includeme(config):
+    config.set_security_policy(SecurityPolicy())
+    config.add_route('public', '/public')
+    config.add_view(public, route_name='public')
+    config.add_route('private', '/private')
+    config.add_view(private, route_name='private', permission='foo')
+    config.add_route('inaccessible', '/inaccessible')
+    config.add_view(inaccessible, route_name='inaccessible', permission='bar')
diff --git a/tests/test_integration.py b/tests/test_integration.py
index 72465dc93..331542d7d 100644
--- a/tests/test_integration.py
+++ b/tests/test_integration.py
@@ -521,6 +521,48 @@ class TestExceptionViewsApp(IntegrationBase, unittest.TestCase):
         self.assertTrue(b'caught' in res.body)
 
 
+class TestSecurityApp(IntegrationBase, unittest.TestCase):
+    package = 'tests.pkgs.securityapp'
+
+    def test_public(self):
+        res = self.testapp.get('/public', status=200)
+        self.assertEqual(res.body, b'Hello')
+
+    def test_private_denied(self):
+        self.testapp.get('/private', status=403)
+
+    def test_private_allowed(self):
+        self.testapp.extra_environ = {'REMOTE_USER': 'bob'}
+        res = self.testapp.get('/private', status=200)
+        self.assertEqual(res.body, b'Secret')
+
+    def test_inaccessible(self):
+        self.testapp.get('/inaccessible', status=403)
+        self.testapp.extra_environ = {'REMOTE_USER': 'bob'}
+        self.testapp.get('/inaccessible', status=403)
+
+
+class TestLegacySecurityApp(IntegrationBase, unittest.TestCase):
+    package = 'tests.pkgs.legacysecurityapp'
+
+    def test_public(self):
+        res = self.testapp.get('/public', status=200)
+        self.assertEqual(res.body, b'Hello')
+
+    def test_private_denied(self):
+        self.testapp.get('/private', status=403)
+
+    def test_private_allowed(self):
+        self.testapp.extra_environ = {'REMOTE_USER': 'bob'}
+        res = self.testapp.get('/private', status=200)
+        self.assertEqual(res.body, b'Secret')
+
+    def test_inaccessible(self):
+        self.testapp.get('/inaccessible', status=403)
+        self.testapp.extra_environ = {'REMOTE_USER': 'bob'}
+        self.testapp.get('/inaccessible', status=403)
+
+
 class TestConflictApp(unittest.TestCase):
     package = 'tests.pkgs.conflictapp'
 
-- 
cgit v1.2.3